Azure API Management - secure API through Client Certificate
Question
I am testing authentication against the Client Certificate functionality with the out-of-the-box Echo API GET request. I have added an inbound rule to check that the request has a certificate.
I am using a self-signed certificate, and I have updated it under CA and client certificates.
```xml
<inbound>
    <choose>
        <when condition="@(context.Request.Certificate == null)">
            <return-response>
                <set-status code="403" reason="Invalid client certificate"/>
            </return-response>
        </when>
    </choose>
    <base />
</inbound>
```
In my client application, I am using the code below to make the call:
```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Security;
using System.Security.Cryptography.X509Certificates;

public static class ApimClient
{
    public static void MakeAnAzureApiCall()
    {
        var url = @"https://xxxx.azure-api.net/echo/resource?param1=sample";

        // WebRequestHandler (.NET Framework, System.Net.Http.WebRequest assembly)
        // lets the client certificate be attached manually
        var handler = new WebRequestHandler();
        handler.ClientCertificateOptions = ClientCertificateOption.Manual;

        // Build the PFX password as a SecureString
        SecureString sec = new SecureString();
        string pwd = "P@ssw0rd";
        pwd.ToCharArray().ToList().ForEach(sec.AppendChar);
        sec.MakeReadOnly();

        // Load the certificate together with its private key; a .cer file alone
        // has no private key and cannot be used for client authentication
        var cert = new X509Certificate2(@"C:\temp\apim.pfx", sec, X509KeyStorageFlags.MachineKeySet);
        //X509Certificate2.CreateFromCertFile(@"C:\temp\apim1.cer");
        handler.ClientCertificates.Add(cert);

        var client = new HttpClient(handler);
        var request = new HttpRequestMessage(HttpMethod.Get, url);
        request.Headers.TryAddWithoutValidation("Ocp-Apim-Subscription-Key", "xxxxxxxxxxxxxxxxxx");

        // Synchronous wait on the async call, as in the original
        var response = client.SendAsync(request).Result;
        string responseString = response.Content.ReadAsStringAsync().Result;
    }
}
```
I am always getting a 403 response from API Management; it looks like the certificate never reaches APIM. Does anyone know what I am doing wrong here?
EDIT 1: Here is the trace file from Azure:

```json
{
"traceId":"421658ba50fb480786757c8d7c22da48",
"traceEntries":{
"inbound":[
{
"source":"api-inspector",
"timestamp":"2019-08-22T16:01:59.6691383Z",
"elapsed":"00:00:00.0002782",
"data":{
"request":{
"method":"GET",
"url":"https://doddapim.azure-api.net/echo/resource?param1=sample",
"headers":[
{
"name":"Ocp-Apim-Subscription-Key",
"value":"e7f21197ef6f4628bdcde8f23394812d"
},
{
"name":"Postman-Token",
"value":"c4f8ef9a-6428-4781-bf4a-e774145c14e9"
},
{
"name":"X-Forwarded-For",
"value":"10.26.60.106"
},
{
"name":"X-BlueCoat-Via",
"value":"ee27777141854371"
},
{
"name":"Cache-Control",
"value":"no-cache"
},
{
"name":"Connection",
"value":"Keep-Alive"
},
{
"name":"Accept",
"value":"*/*"
},
{
"name":"Accept-Encoding",
"value":"gzip,deflate"
},
{
"name":"Host",
"value":"doddapim.azure-api.net"
},
{
"name":"User-Agent",
"value":"PostmanRuntime/7.15.2"
}
]
}
}
},
{
"source":"api-inspector",
"timestamp":"2019-08-22T16:01:59.6691383Z",
"elapsed":"00:00:00.0002814",
"data":{
"configuration":{
"api":{
"from":"/echo",
"to":{
"scheme":"http",
"host":"echoapi.cloudapp.net",
"port":80,
"path":"/api",
"queryString":"",
"query":{
},
"isDefaultPort":true
},
"version":null,
"revision":"1"
},
"operation":{
"method":"GET",
"uriTemplate":"/resource"
},
"user":"-",
"product":"-"
}
}
},
{
"source":"cors",
"timestamp":"2019-08-22T16:01:59.6691383Z",
"elapsed":"00:00:00.0014853",
"data":"Origin header was missing or empty and the request was classified as not cross-domain. CORS policy was not applied."
},
{
"source":"cors",
"timestamp":"2019-08-22T16:01:59.6691383Z",
"elapsed":"00:00:00.0014872",
"data":"Origin header was missing or empty and the request was classified as not cross-domain. CORS policy was not applied."
},
{
"source":"client-certificate-handler",
"timestamp":"2019-08-22T16:01:59.6691383Z",
"elapsed":"00:00:00.0014961",
"data":"Requesting client certificate because next handler requires access to it."
},
{
"source":"client-certificate-handler",
"timestamp":"2019-08-22T16:01:59.6691383Z",
"elapsed":"00:00:00.0017793",
"data":"No client certificate received."
},
{
"source":"choose",
"timestamp":"2019-08-22T16:01:59.6691383Z",
"elapsed":"00:00:00.0017844",
"data":{
"message":"Expression was successfully evaluated.",
"expression":"context.Request.Certificate == null",
"value":true
}
},
{
"source":"set-status",
"timestamp":"2019-08-22T16:01:59.6691383Z",
"elapsed":"00:00:00.0017909",
"data":{
"message":[
"Response status code was set to 403",
"Response status reason was set to 'Invalid client certificate'"
]
}
},
{
"source":"return-response",
"timestamp":"2019-08-22T16:01:59.6691383Z",
"elapsed":"00:00:00.0017946",
"data":{
"message":"Return response was applied",
"response":{
"status":{
"code":"Forbidden",
"reason":"Invalid client certificate"
},
"headers":[
]
}
}
}
],
"outbound":[
{
"source":"transfer-response",
"timestamp":"2019-08-22T16:01:59.6691383Z",
"elapsed":"00:00:00.0018163",
"data":{
"message":"Response headers have been sent to the caller."
}
}
]
}
}
```

Accepted answer
Finally, I figured it out. The proxy is blocking the client from sending the certificate to the server. Nothing wrong with the code or configuration.
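For reference, a tighter version of the inbound policy from the question (an added example, not the poster's or Azure's own code): the `== null` check alone accepts whatever certificate the TLS layer negotiates, so this version also rejects expired certificates, requires the chain to verify against the CA uploaded to APIM, and pins the expected thumbprint, which is assumed here to live in a named value called `client-cert-thumbprint`.

```xml
<inbound>
    <choose>
        <!-- No certificate presented at all: the original check from the question -->
        <when condition="@(context.Request.Certificate == null)">
            <return-response>
                <set-status code="403" reason="No client certificate presented" />
            </return-response>
        </when>
        <!-- Certificate present but not the one we expect: expired, not chaining to a
             CA uploaded under "CA certificates" (Verify() needs the self-signed cert
             itself there), or a thumbprint other than the pinned one.
             {{client-cert-thumbprint}} is an assumed named value holding the expected
             thumbprint as upper-case hex with no separators. -->
        <when condition="@(DateTime.Now > context.Request.Certificate.NotAfter
                        || !context.Request.Certificate.Verify()
                        || !context.Request.Certificate.Thumbprint.Equals("{{client-cert-thumbprint}}", StringComparison.OrdinalIgnoreCase))">
            <return-response>
                <set-status code="403" reason="Invalid client certificate" />
            </return-response>
        </when>
    </choose>
    <base />
</inbound>
```

The trace in the question shows "No client certificate received." from the client-certificate-handler before the `choose` runs, so a proxy that strips the client certificate is still caught by the first `when`; the second `when` only matters once the certificate actually arrives.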